WMUG

Using the TLS cipher in Configuration Manager

Before we get into this I should state that I’m not an IT security expert, and I apologise up front for any inaccuracies or misunderstandings I may have made in this post. Feel free to correct me in the comments.

I was asked recently to extend an existing Configuration Manager environment to manage a number of untrusted devices. The solution to this involved creating a new HTTPS-enabled management point, distribution point and software update point. One specific request that came in was that the solution should use TLS 1.2 where possible. This, for me at least, is not a common ask, so off I went to check out the possibilities. If we look at the Microsoft TechNet library we can find some small print...

“We recommend the disabling of SSL 3.0, the enabling of TLS 1.1, and 1.2, and the reordering of TLS-related cipher suites, to improve the security of your Configuration Manager servers. You can learn how to take these actions in this KB article. This action will not affect Configuration Manager functionality.”

So Microsoft actually recommend disabling SSL 3 and enabling TLS 1.1 and 1.2. I know this may not come as a big surprise to many security-minded folk, but to others it may. This can be applied and is supported with all relevant Configuration Manager roles as per the statement above. So with that in mind we need to know how to go about it.

The long way around…

In the KB article we can see that there are registry keys on the server under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]

We can then see the necessary protocols listed below, something like this:

Below each of these keys we should create a DWORD value of ‘Enabled’ which can be set to 0 or 1.

We can also create a DWORD value of DisabledByDefault which can also be set to 0 or 0xffffffff.

Something like this:

Once you have made the required changes you must restart the server for it to take effect.

The shortcut…

I chatted to a couple of friends who happen to work for an e-tailer about this, as I know they are responsible for a number of servers which must comply with payment card industry data security standards (PCI-DSS). Sure enough, they were quite familiar with this and recommended a free tool which does the work for you. Enter IIS Crypto from Nartac Software.

This tool allows you to choose from the following standard compliance crypto settings:

Best Practice

PCI-DSS

FIPS 140-2

Alternatively you can pick and choose whichever settings you want or need. We can also re-order the cipher suites, as is also recommended by Microsoft. Just be warned though: if you do use the templates you get to see what is enabled but you don’t get to see what is actually changed, so you would need to use a tool like RegShot to track the specific changes. Top tip is to test it in a lab first to be certain.
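The registry values from "The long way around", together with a way to see what a template actually changed, as an added PowerShell example that is not from the original post or from Nartac. The function names and the CSV file name are hypothetical, and the Client and Server subkeys under each protocol are the standard Schannel layout rather than something shown on this page.

```powershell
# Added example; function names are hypothetical. Run from an elevated prompt.
$Base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'
$Protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$Roles     = 'Client', 'Server'

function Get-SchannelProtocolState {
    # Report both values for every protocol/role pair; a missing key or value
    # means Windows falls back to its built-in default for that OS version.
    foreach ($p in $Protocols) {
        foreach ($r in $Roles) {
            $key = Join-Path (Join-Path $Base $p) $r
            $v   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = if ($null -ne $v.Enabled) { $v.Enabled } else { '(not set)' }
                DisabledByDefault = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { '(not set)' }
            }
        }
    }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($r in $Roles) {
        $key = Join-Path (Join-Path $Base $Protocol) $r
        # Create the key only if missing, so existing values are left intact.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enable: Enabled=1, DisabledByDefault=0. Disable: Enabled=0, DisabledByDefault=1
        # (1 is this example's choice of non-zero value).
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Snapshot the current state to a CSV (file name is a placeholder).
Get-SchannelProtocolState | Export-Csv -Path .\schannel-before.csv -NoTypeInformation

# Uncomment to apply the change the post describes, then restart the server.
# Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
# Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true
# Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

Get-SchannelProtocolState | Format-Table -AutoSize
```

Exporting a second snapshot after applying a template and passing both CSVs through Compare-Object shows which protocol values changed. It covers only the Protocols key, not cipher suite order.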

So there you have it, next time you’re asked “can Configuration Manager support TLS v1.2?” you can safely say yes.